Splunk Search

How can I display yesterday data when today's report did not run yet?

andregalera
Engager

Hey!

I have a dashboard that is updated everyday by a report that runs at 12:30 UTC. All the visualizations are displayed using the search time range "Today".

However, each day before 12:30 UTC, since the report did not run yet, all the visualizations display "no results found". Is there a way that if the report did not run yet, the dashboard displays the information from the past day?

I tried to expand the search time range to the past two days; however, most of the visualizations are based on displaying the number of machines of "today" by a specific type. Expanding the time range to the past two days sums the count from the past day with today's after 12:30 UTC.

 

| chart count as "# of Machines" by Classification MachineClass
| addtotals fieldname="Total (s)"

 

Does anyone have some idea or know how to do this? Thanks!

1 Solution

yuanliu
SplunkTrust

Maybe you can describe the requirement more clearly. I think the phrase "a dashboard that is updated every day by a report" is inaccurate. Do you mean that you have a data source in that dashboard that is updated by a report every day at a given time, but the search you talk about is run directly from the dashboard? Because if the dashboard is populated by a scheduled report, there is nothing you can do to change what is displayed; in addition, a scheduled report will not change its output until the next run, meaning that it would not show blank before the scheduled time to start with.

If the above is correct, the problem can be restated as

  • if the search time is after 12:30 UTC, search for events from "today"; else
  • search for events from "yesterday". (Alternatively, the search is to include events from yesterday because today's events haven't arrived yet.)

If that is the case, you can apply the idea of searching for two days, then filtering for events on different days based on the time of the search. The actual calculation will depend on what you consider today and yesterday relative to UTC. The simplest case is when they coincide with UTC. You can use something like this:

 

<initial search> earliest=-1d@d ``` that is beginning of yesterday ```
| eval today = relative_time(now(), "-0d@d") ``` start of today, snapped in the search user's time zone ```
| eval yesterday = relative_time(now(), "-1d@d") ``` start of yesterday, the same boundary as earliest above (plain -1d would be 24 hours ago, not the start of the day) ```
| eval cutoff = if(strftime(now(), "%H%M") > "1230", today, yesterday) ``` after the 12:30 run: keep only today's events; before it: keep yesterday's as well ```
| where _time >= cutoff

 

 

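As an added example (not part of the accepted answer or of the original post), here is a self-contained variant of the same two-day idea that decides from the data rather than from the clock. Instead of switching on 12:30, it snaps every event to the start of its day and keeps only the most recent day that actually has report output inside the window. The practical difference: a report that finishes late, or fails, leaves yesterday's figures on the dashboard instead of "no results found", and today's figures appear the moment the run writes them rather than at a fixed minute. The first lines build a constructed sample set with makeresults (four machines stamped yesterday 12:30, two stamped today 12:30, with any row stamped after the search time dropped to mimic a report that has not run yet); in a real dashboard, replace them with the panel's own base search and earliest=-1d@d. The field names Classification and MachineClass are taken from the question; the sample values and the assumption that one report run writes all of a day's rows with the same day stamp are mine.

```spl
| makeresults count=6
| streamstats count as n ``` n = 1..6, used only to build the constructed sample rows ```
| eval _time = if(n <= 4, relative_time(now(), "-1d@d"), relative_time(now(), "@d")) + 12*3600 + 30*60 ``` rows 1-4: yesterday 12:30, rows 5-6: today 12:30 (assumed sample stamps) ```
| eval Classification = if(n % 2 == 0, "Server", "Workstation") ``` assumed sample values ```
| eval MachineClass = case(n <= 2, "Physical", true(), "Virtual") ``` assumed sample values ```
| where _time <= now() ``` before 12:30 today's rows do not exist yet, exactly as with the real report ```
| eval run_day = relative_time(_time, "@d") ``` reusable part starts here: snap each event to the start of its day (search user's time zone) ```
| eventstats max(run_day) as latest_run_day ``` the most recent day that has any report output in the window ```
| where run_day == latest_run_day ``` keep that day only, so yesterday and today are never summed together ```
| chart count as "# of Machines" by Classification MachineClass ``` same visualization as in the question ```
| addtotals fieldname="Total (s)"
```

Run it once before 12:30 and once after: before, the chart shows the four machines stamped yesterday; after, only the two stamped today. The day snapping uses the search user's time zone, the same caveat the accepted answer gives for its strftime comparison, so a user whose time zone is not UTC will see the day boundary move accordingly. If the report has failed for two days running, the window still contains nothing and the panel stays empty; widen earliest (for example -2d@d) if older data is acceptable as a fallback, at the cost of showing stale figures without warning.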


andregalera
Engager

This was exactly the problem and this is the solution I needed. Thank you very much @yuanliu !
